Phishing Campaign Exploits Google Storage to Deploy Remcos RAT
Severity: High (Score: 67.5)
Sources: Gbhackers, Cybersecuritynews, Reddit
Summary
A phishing campaign has been detected that abuses Google Cloud Storage to deliver the Remcos remote access trojan (RAT). Attackers host a fake Google Drive login page on the legitimate domain storage.googleapis.com, so the link carries a Google-owned hostname that looks trustworthy to users and to reputation-based security tools. The phishing page collects the victim's email address, password and one-time passcode. Once the "login" succeeds, the victim is prompted to download a malicious JavaScript file that starts a multi-stage attack chain: the JavaScript runs VBS scripts, and the chain uses the legitimate Microsoft .NET binary RegSvcs.exe as the host process into which the Remcos payload is injected in memory, which makes the RAT harder to detect than a payload written to disk.

Because the lure is served from trusted infrastructure, the phishing links bypass many security filters. Security professionals are advised to increase monitoring for suspicious script activity (for example Windows Script Host running scripts from user-writable locations, or RegSvcs.exe being started by a script host) and for scripts or executables in unusual file paths. The campaign is ongoing and affects users globally.

Key Points:
• Phishing campaign uses Google Cloud Storage to deliver the Remcos RAT.
• Attackers exploit trusted infrastructure to evade detection.
• Multi-stage attack includes credential theft and in-memory malware injection.
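The link-triage check below is an added example written for this page; it is not code from any of the cited sources. It pulls URLs out of a message body and flags objects served from storage.googleapis.com, in both the path-style form (storage.googleapis.com/BUCKET/OBJECT) and the bucket-subdomain form (BUCKET.storage.googleapis.com/OBJECT), whose object name is an HTML page, because that is the shape of the lure described above: a web page in a public bucket borrowing Google's hostname. The bucket names and the message text are constructed for the example and do not come from the campaign.

```python
"""Triage URLs that use Google Cloud Storage to host a phishing page (added example)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlparse

GCS_HOST = "storage.googleapis.com"
PAGE_EXT = (".html", ".htm", ".shtml")
# Crude URL extractor for a plain-text body; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def gcs_object(url: str) -> Optional[Dict[str, str]]:
    """Return {"bucket", "object"} when the URL addresses a GCS object, else None.

    Handles path-style (storage.googleapis.com/<bucket>/<object>) and
    virtual-hosted style (<bucket>.storage.googleapis.com/<object>) URLs.
    The path is percent-decoded so "review%2Ehtml" is seen as "review.html".
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = unquote(p.path).lstrip("/")
    if host == GCS_HOST:
        bucket, _, obj = path.partition("/")
        return {"bucket": bucket, "object": obj} if bucket and obj else None
    if host.endswith("." + GCS_HOST):
        return {"bucket": host[: -len(GCS_HOST) - 1], "object": path}
    return None


def is_suspicious_gcs_page(url: str) -> bool:
    """True when the URL serves a web page (not an asset) straight out of a GCS bucket."""
    obj = gcs_object(url)
    return obj is not None and obj["object"].lower().endswith(PAGE_EXT)


def triage_links(text: str) -> List[Tuple[str, bool]]:
    """Extract every URL in the text and pair it with the suspicious-page verdict."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # trailing sentence punctuation is not part of the link
        results.append((url, is_suspicious_gcs_page(url)))
    return results


# Constructed sample message; the bucket names are hypothetical.
SAMPLE_EMAIL = """\
Hi, a document was shared with you on Google Drive.
Open it here: https://storage.googleapis.com/shared-docs-7f3a21/review.html
Company logo: https://storage.googleapis.com/acme-public-assets/logo.png
Or use the portal: https://acme-portal.storage.googleapis.com/index.html.
Real Drive link: https://drive.google.com/file/d/1AbCdEf/view
"""

if __name__ == "__main__":
    for url, flagged in triage_links(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if flagged else "ok         ") + url)
```

A hit here is a triage signal, not proof of phishing: legitimate sites do serve static pages from GCS buckets, so the verdict is best combined with sender reputation and whether the page title or form imitates a Google login.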
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- ClickFix (attack_type)
- Atomic Stealer (malware)
- Remcos (malware)
- storage.googleapis.com (domain)
- T1055.012 - Process Hollowing (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- Google Cloud Storage (platform)
- Windows (platform)
- Google Drive (tool)
- PowerShell (tool)
- RegSvcs.exe (tool)
- Windows Script Host (tool)
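The endpoint-side check below is an added example for the Windows Script Host, RegSvcs.exe, PowerShell and process-injection entries above; it is not code from the cited sources. It runs three heuristics over constructed Sysmon-style process-creation events: a script host executing a .js/.vbs file from a user-writable path, RegSvcs.exe started by a script host or without an assembly to register (a hollowed RegSvcs.exe has no legitimate assembly to point at), and PowerShell spawned by a script host. The parent-child relationships and command lines in the sample events are assumptions about how the described chain would appear in telemetry, not details reported by the page.

```python
"""Heuristics for the script-host -> RegSvcs.exe chain over process-creation events (added example)."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Directories an unprivileged user can write to; scripts dropped by a phishing download land here.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData|Public)\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def args_after_image(cmdline: str) -> str:
    """Drop the first token (the program, quoted or not) and return the remaining arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def script_path(cmdline: str) -> str:
    """First argument that looks like a script file (quoted or unquoted), or '' if none."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', args_after_image(cmdline)):
        tok = quoted or bare
        if tok.lower().endswith(SCRIPT_EXT):
            return tok
    return ""


def detect(ev: Dict[str, str]) -> List[str]:
    """Return the names of the heuristics a single event triggers."""
    hits = []
    img = image_name(ev["Image"])
    parent = image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if img in SCRIPT_HOSTS:
        sp = script_path(cmd)
        if sp and USER_WRITABLE.search(sp):
            hits.append("script_host_user_writable_path")
    if img == "regsvcs.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("regsvcs_spawned_by_script_host")
        if not args_after_image(cmd):  # legitimate use always names an assembly
            hits.append("regsvcs_without_assembly_argument")
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("powershell_spawned_by_script_host")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event id, heuristic) pairs for every event that triggers at least one heuristic."""
    return [(ev["Id"], h) for ev in events for h in detect(ev)]


# Constructed events in Sysmon Event ID 1 field names; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Id": 2, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\AppData\Local\Temp\stage2.vbs",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Id": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Benign: a Windows-shipped script run by an admin from a system path.
    {"Id": 5, "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: an installer registering a real .NET service assembly.
    {"Id": 6, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Service.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for event_id, heuristic in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {heuristic}")
```

The two benign events show the point of each heuristic: a script host by itself is common on Windows, and RegSvcs.exe by itself is a normal installer step, so the rules key on the combination of path, parent and missing argument rather than on the binary names alone.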